Cloud Services Procurement Guidance Note

OGP Cloud Services Procurement Guidance Note
February 2021 (09/02/2021)

Contents

1. Glossary of Terms Used
2. Introduction
   2.1. Background to the Guidance Note
   2.2. Guidance Note Context
   2.3. Overview of Cloud Contracts
   2.4. Pre-Market Engagement
3. Cloud Services Contract Considerations
   3.1. Overview of CSP Contractual and Commercial Provisions
   3.2. An Introduction to Key Contractual and Commercial Terms
4. Introduction to the Cloud Services Contractual and Commercial Checklist
Appendix 1: Cloud Services Contractual and Commercial Checklist
   Contractual and Commercial Considerations – Section 1
   Contractual and Commercial Considerations – Section 2
   Contractual and Commercial Considerations – Section 3
   Contractual and Commercial Considerations – Section 4
Appendix 2: Cloud Services Data Protection Guidelines
   Schrems II CJEU Judgment

This document is provided for guidance and information purposes only. The document will be subject to amendment and review periodically and the most up to date version will be published on the OGP website www.ogp.gov.ie. The document is not intended as legal advice or a legal interpretation of Irish or EU law on public procurement.

1. Glossary of Terms Used

Application Programming Interface (API): A software mechanism that allows applications to interact with and obtain data from each other.

Cloud Service Provider (CSP): Any supplier of "Cloud" based computer services, where "Cloud" based means a system hosted in a data centre owned or leased by the supplier and not by the customer.

CSP Agreement: The standard form of CSP contract.

Data Protection Impact Assessment (DPIA): An assessment of the impact of potential issues from a data protection perspective.

(Term not legible in the source): The largest Tier 1 CSPs with a global presence and the ability to scale their services and capabilities indefinitely.

Information and Communications Technology (ICT): The general term for the grouping of information technology (IT) and communications technology.

Infrastructure as a Service (IaaS) [1]: The capability provided to the customer by the CSP is to provision processing, storage, networks and other fundamental computing resources where the customer is able to deploy and run software, which can include operating systems and applications. The customer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications and, possibly, limited control of networking components (for example, host firewalls).

Intellectual Property Rights (IPR): This generally covers such intangible assets as patents, industrial designs, trademarks, service marks, trade or business names, domain names and copyrights, including copyright in computer programs.

IT Infrastructure Library (ITIL): A framework of best practices for delivering IT services.

Key Performance Indicator (KPI): A performance metric associated with a service or service element.

Multi-tenant: An architecture in which a single computing resource is shared but logically isolated to serve multiple consumers.

Platform as a Service (PaaS) [1]: The capability provided to the customer by the CSP is the ability to deploy onto the cloud infrastructure customer applications created using programming languages, libraries, services and tools supported by the CSP. The customer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems or storage, but has control over the deployed applications and, possibly, configuration settings for the application hosting environment.

PSB Services Contract: The form of contract included by the PSB in their tender documentation which sets out the terms and conditions for the cloud services to be provided by the CSP to the PSB.

Recovery Point Objective (RPO): The maximum period of time in which an organisation's data might be lost following a major incident.

Recovery Time Objective (RTO): The time to restore data and operations following a major incident.

Request for Information (RFI): Generally used as a mechanism for conducting a pre-market assessment of market and supplier capabilities.

Request for Tender (RFT): Used to solicit tenders from the market in line with Public Procurement Regulations and guidelines.

Reseller: An organisation that re-sells CSP services.

Service Level Agreement (SLA): The agreed set of measures which define the level of service to be provided by the CSP. This can include details such as availability, permitted outages in a given period of time, issue response and resolution timelines and associated service descriptors.

Software as a Service (SaaS) [1]: The capability provided to the customer is the ability to use the CSP's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web based email), or a program interface. The customer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Sub-contractor: An organisation contracted by the CSP to provide services which may augment or be ancillary to the services provided by the CSP. The PSB will not normally have a direct contractual relationship with Sub-contractors.

Sub-processor: This term is used in this guidance note exclusively in the context of data processing and GDPR and relates to a Sub-contractor who processes the PSB's personal data as part of the delivery of the CSP services.

Systems Integrator (SI): An organisation that builds and implements ICT solutions for its customers, often on platforms that are provided by CSPs.

Tier n cloud service provider ("Tier n" CSP): A cloud services provider that is categorised according to its brand, size and capabilities.

Tier 1 cloud service provider (Tier 1 CSP): A global CSP which owns the network in which it is the sole operator and has a direct connection to the internet and networks it uses to deliver voice and data services.

Tier 2 cloud service provider (Tier 2 CSP): A regional CSP which may get a portion of its network from a Tier 1 CSP.

Tier 3 cloud service provider (Tier 3 CSP): A CSP which gets 100% of its network from Tier 1 or Tier 2 CSPs, with no direct access of its own.

User Acceptance Testing (UAT): Final testing by the PSB prior to acceptance of the service.

[1] NIST: ...ons/NIST.SP.500-322.pdf

2. Introduction

2.1. Background to the Guidance Note

The Office of the Government Chief Information Officer (OGCIO) published its Cloud Computing Advice Note in October 2019 [2]. The advice note clearly sets out the approach to be taken by Public Sector Bodies (PSBs) to the adoption of cloud services. The advice note also outlines the many advantages and benefits associated with the use of cloud services and provides guidance in relation to the definition, business context, vision and principles associated with cloud computing.

This guidance note augments the OGCIO Cloud Computing Advice Note [2] to the extent that it provides information with regard to the contractual and commercial considerations to be taken into account when preparing to procure cloud services.

This guidance note should be read in conjunction with the OGCIO Cloud Computing Advice Note [2], referenced above.

The Office of Government Procurement (OGP) recognises that Public Sector Bodies (PSBs) have a need to procure cloud services. OGP has, therefore, produced this guidance note to provide high-level information and guidance to PSBs when considering the procurement of these services. The information provided is not intended to be exhaustive and, if required, PSBs should seek further advice from experts with recognised relevant experience.

To comply with the Public Procurement Regulations [3], PSBs who wish to tender for cloud services are obliged to provide contract terms and conditions as part of the tender documentation. However, this can pose a challenge when tendering for cloud services for a number of reasons, including:

– cloud service providers (CSPs) may offer differentiated services and their terms and conditions may vary, depending on the specific nature and attributes of their services;
– as shown in the following diagram, cloud services may span a spectrum from, at the lowest level, infrastructure as a service (IaaS), to platform as a service (PaaS), to software as a service (SaaS). The breadth of CSP obligations and responsibilities will vary significantly across the different layers of the cloud services spectrum. This will result in a significant variation in terms and conditions across the IaaS/PaaS/SaaS cloud services spectrum.

[3] ...rishstatutebook.ie/eli/2016/si/284/made/en/pdf

This guidance note provides information and guidance with regard to the contractual and commercial considerations to be taken into account when procuring cloud services, generally described within this guidance note under the following headings:

– Software as a Service (SaaS);
– Platform as a Service (PaaS); and
– Infrastructure as a Service (IaaS);

collectively referred to as "XaaS" [4].

[4] Other "as a service" cloud services, such as Desktop as a Service (DaaS), are not covered in this guidance note.

In summary, cloud computing consists of a set of technologies and service models that focus on network-based, on-demand use and delivery of IT applications, processing capability, storage and memory space. The cloud services utilising these technologies and service models can be provided by an external service provider or can be delivered in house, or a combination of both. They can be provided on a private or shared basis. It should be noted that, while PSBs may outsource delivery of a service to a cloud service provider, they remain accountable for the service. It is important, therefore, that PSBs understand the risks, as well as the benefits, associated with the use of cloud services.

In addition to the technical factors related to cloud computing and the provision of cloud services by cloud service providers, PSBs need to understand the nature of the contractual and commercial arrangements that apply when contracting for these services. This applies in particular for PSBs who are coming from a background of self-hosted, on-premises technology environments and may be approaching the cloud services market for the first time.

The benefits associated with cloud services are clearly set out in the OGCIO Advice Note referred to above and at a summary level include:

– enhanced application functionality may only be available online to cloud customers;
– ease of upgrades (particularly for SaaS solutions) and continued support of the service;
– attractive upfront costs;
– an alternative option for the replacement of on-premises applications which may be reaching their end of life;
– limited or no in-house IT support or managed service (although in-house IT services are still required, for example, configuration);
– cloud services may be cheaper when workloads are steady;
– cloud may be useful as a cost effective geo-resilient secondary location (PaaS, IaaS) rather than a secondary on-premises datacentre.

This guidance note addresses the key considerations for the acquisition of cloud services from a commercial and contractual perspective. In all cases, PSBs (contracting authorities) must ensure that they procure cloud services using public procurement competitive processes in accordance with Public Procurement Regulations and national public procurement guidelines, thereby ensuring open, transparent and non-discriminatory processes.

2.2. Guidance Note Context

The general context of this guidance note is to provide information and guidance to PSBs with regard to:

– procuring cloud services in an informed and legally compliant manner which enables PSBs to avail of the value inherent in cloud services while also achieving an equitable balancing of risk with CSPs;
– the general complexity associated with contracting for cloud services; and
– the general differences, from a commercial and contractual perspective, between traditional (legacy) ICT contracts and cloud contracts.

As this note is for guidance only, PSBs should consult with the relevant cloud services market and subject matter or other relevant experts in order to gather the information necessary to enable them to develop their tender documentation, including contractual terms and conditions. Cloud services, and the contexts in which PSBs may wish to use them, can be complex; therefore, the knowledge gleaned from a pre-market engagement will provide for a more informed, efficient and effective procurement process. Pre-market engagement, including where advice is sought from independent experts or market providers, must not confer any unfair advantage on any supplier in any subsequent tender process. The principles of equal treatment and transparency apply.

When considering a contract with a CSP there are a significant number of provisions which differ from more traditional ICT contracts for "on premises" solutions. These differences arise, in the main, because the CSP is likely to be delivering a consolidated set of services to a diverse group of customers. The CSP will, accordingly, endeavour to minimise variations to key contract terms in order to reduce their exposure to risk and to simplify contract administration and management across their customer base.

This guidance note refers to differences, where relevant, between a "cloud" contract and a legacy ICT contract. The aim is to provide PSBs with information to help to ensure that their tender documents contain contractual terms and conditions which are informed and balanced in terms of the risks which may arise under such contracts. PSBs should seek their own legal advice when constructing cloud PSB Services Contracts.

The commentary on the contractual terms and conditions which are in scope for this guidance note is grouped based on the degree of commonality generally seen in the market. Similarly, the commentary on commercial considerations reflects cloud services pricing models commonly seen in the market.

2.3. Overview of Cloud Contracts

Market analysis indicates that CSPs generally insist that their terms and conditions (for example, security, data protection, term, termination and exit provisions) take precedence over any client terms and conditions. This is usually implemented through "click-through" hyperlinks to the CSP's terms and conditions.

This may be challenging for PSBs insofar as it may have the effect of conflicting with the terms and conditions published in the PSB's tender documentation. In compliance with Public Procurement Regulations and guidelines, PSBs must publish the terms and conditions which will apply in respect of a contract awarded under a public procurement competition. Contractual terms and conditions cannot be subject to substantial modification thereafter. Accordingly, the PSB terms must take precedence over any conflicting terms put forward by CSPs and this should be specifically set out in the PSB Services Contract. It is important to note that not all CSPs are amenable to modifications to their terms and conditions. PSBs should always seek legal advice in relation to any conflicts between their published terms and conditions and those of the CSP.

In some instances, cloud services may be supplied indirectly through resellers, cloud services brokers or Systems Integrators. These entities act as an intermediary between the cloud services customer and the CSP and, in this role, may be willing to accept risk in their contracts which would otherwise be borne by the CSP's customer (in this case the PSB) in a direct sale transaction with the CSP.

2.4. Pre-Market Engagement

PSBs are encouraged to engage with the market prior to drafting their tender documentation. The most transparent mechanism by which PSBs can conduct market soundings is by publishing a Request for Information (RFI). During this pre-market engagement phase of the public procurement process, PSBs should consider the following:

– solution assessment: the output from an RFI process can be used to inform the solution assessment and to determine the right type of solution to meet the requirements. The solution could be IaaS (with the applications hosted in the cloud but under the ownership and control of the PSB), PaaS (with the development and test environment and operational infrastructure hosted in the cloud) or SaaS (with the full solution – hardware, software, network and security – provided in the cloud and accessed by the PSB users through their mobile or PC/laptop devices).
– Data Protection Impact Assessment: the solution assessment should also include completion of a data protection impact assessment (DPIA) and classification of the data which will be migrated to the cloud in terms of its sensitivity, including the impact of a data breach.
– risk and benefit analysis: pre-market engagement can provide useful information to be used in assessing the risks and benefits that the proposed solution will deliver from the perspectives of implementation, control, ease of deployment, accessibility, lifetime costs and overall business case.
– contractual and commercial terms: engagement with the market will assist PSBs in drafting the terms and conditions to be published as part of their tender documentation.

Key contractual and commercial factors to be considered are addressed at a more detailed level in the checklists in Appendix 1. PSBs are advised to seek expert legal advice when drafting the PSB Services Contract which is to be included in the tender documentation.

3. Cloud Services Contract Considerations

Cloud services can be complex and the contractual provisions in cloud services contracts define what services are to be provided, how they are to be provided and what the pricing arrangements are for the differing types of cloud services. This section sets the context for the general factors to be taken into account when entering into contracts with CSPs for the provision of cloud services.

3.1. Overview of CSP Contractual and Commercial Provisions

PSBs need to have a reasonable understanding of the types of provisions that apply to cloud services contracts and how they differ between IaaS, PaaS and SaaS contracts.

This section provides an overview of some key contractual and commercial provisions generally seen in CSP standard agreements. The overview will help to inform PSBs regarding the provisions of a typical CSP Agreement, which CSPs will expect to have incorporated into any contract they enter into with a PSB. PSBs should satisfy themselves that they are familiar with the content of CSP Agreements in the context of the contractual terms and conditions they are publishing in the tender documentation and should conduct their own analysis, as required, in order to ensure that they are so informed.

For cloud services contracts, the contractual and commercial considerations are of fundamental importance to the apportionment and equalisation of risk and delivery of value across the lifetime of the contract. Some provisions are more important than others and it is incumbent on PSBs who are entering into contracts with CSPs to understand the context in which any particular provision within those contracts may apply and its relevance to: the services, the anticipated value being delivered through those services and the apportionment of risk between the contracting parties under the contract.

Key contractual and commercial provisions are described in outline here. More detailed guidance is provided through the checklists in Appendix 1 and it is recommended that the checklists are used by PSBs to inform the construction of PSB Services Contracts for the provision of cloud services.

CSPs may often be supported by an ecosystem of Sub-contractor partners for the delivery and ongoing support of the services. These Sub-contractors may have their own agreements which may be visible to the PSB or, on the other hand, may not be readily visible but are instead contained in downstream agreements referenced through URL links contained in the CSP Agreement.

Great care must be taken to understand the structure of the cloud services agreements and the rights and obligations of all parties in the delivery of the services. An example of the standard agreements structure provided by a CSP for an enterprise SaaS solution is shown in Figure 1. In some instances, the solution may be delivered by a third party service provider (for example, a Systems Integrator) which may take on a prime contracting role for the implementation of the solution.

It should be noted that the assessment of CSP terms and conditions should be undertaken in the pre-market assessment phase and the PSB Services Contract should be constructed bearing in mind what is acceptable to the market while also maximising protection for the PSB (particularly in relation to data protection and security) and ensuring a reasonable balance of risk.

Figure 1: Example CSP Enterprise SaaS Agreements Structure

In the example "CSP Enterprise SaaS Agreements Structure" above:

– the CSP Order Form is the controlling agreement and it takes precedence over the other agreements. There can be multiple Order Forms under a single Enterprise SaaS Agreement;
– the Cloud Services Description describes the cloud services to be provided;
– the Product and Services Supplement, Support Policy and Service Level Agreement describe, respectively, the specific products and services to be provided, the support provisions and the service level agreement for the services being delivered (containing such metrics as availability, incident response times, service credits for service failures);
– the General Terms and Conditions contain the main body of general legal provisions (term, termination, warranties, liabilities, indemnities);
– the Data Processing Agreement may specify the CSP's general obligations in terms of conformance with data processing laws and regulations (for example, GDPR); and
– the Consulting Services Agreement will cover the provision of professional services/consulting services for initial implementation of the services and subsequent use of CSP professional services on a project by project basis. These services will generally be drawn down under specific Statements of Work (SOWs), each of which will have its own provisions to reflect the deliverables, delivery and payment milestones, acceptance processes, personnel/resource allocations, rate cards for the resource types to be deployed under the SOW and any specific qualification or augmentation of terms that may be set out in the "umbrella" Consulting Services Agreement or the General Terms and Conditions.

Therefore, in addition to the specific provisions that apply in cloud services agreements, PSBs also need to understand the structure of cloud services agreements including:

– how component sub-agreements are constructed;
– their relevance to each other; and
– the precedence of common or conflicting provisions between the "master" services agreement and any component agreements or schedules. This need for understanding applies in particular in relation to the role of Sub-contractors in the implementation, delivery and support of the services.

PSBs have an obligation to comply with Public Procurement Regulations when tendering for products and services. This includes providing a PSB Services Contract which ensures compliance with the Public Procurement Regulations but which will also elicit bids from the market; this can be a difficult balance to achieve. With an understanding of CSPs' general contractual provisions, PSBs can ensure that the PSB Services Contract published with the tender documentation will be compliant with the Public Procurement Regulations and have a likelihood of eliciting supplier responses accordingly. As recommended elsewhere in this guidance note, legal advice should be sought when preparing contract documentation for cloud services tenders.

3.2. An Introduction to Key Contractual and Commercial Terms

Contract Term or Duration

The contract term is a key consideration for both parties to the agreement:

– For the CSP, a long contract term results in guaranteed revenues over the customer lifetime. This helps CSPs maintain and grow revenue while mitigating the negative revenue impacts of customer "churn" (the loss of customers over time due to non-renewal of CSP service agreements). Therefore, CSPs will generally have a strong interest in a long, rather than short, contract term and may provide incentives to customers to commit to longer term contracts.
– For the PSB, a long contract term generally results in guaranteed service provision at a defined price (subject to variations related to usage, etc.). A longer-term commitment may result in such incentives as improved pricing and lower total cost of ownership (TCO) over the contract term. However, ICT market analysts also indicate that the price of CSP services may increase following the initial contract term. PSBs always need to consider whether a long contract term may have the effect of restricting competition.
– PSBs should consider the "what-if" factors relating to potential early termination of the contract and how flexible or inflexible CSPs may be in such an event; this will be dictated by how the term and termination provisions have been defined.
– PSBs should also consider the potential effect of "lock-in" to a specific CSP and the resulting loss of leverage that may ensue at the end of the contract term if the PSB wishes to extend the service beyond the initial term, i.e. avail of any permitted extensions to the contract.

Contract Termination

Contract termination is a key consideration for both parties. As cloud services contracts are limited term contracts which will (unless terminated early, renewed or extended) come to an end at the conclusion of the contract term, a number of key factors need to be considered. These include:

– the factors which may result in termination of the contract (for example, normal termination at the end of the contract term, early termination due to default or unremedied material breach);
– the likely consequences of such termination; and
– the management of any risks associated with contract termination, including transfer/transition of data and services from the CSP back to the PSB or to another replacement CSP.

These topics are addressed in further detail in Appendix 1.

Exit Management

Cloud-based services create a higher dependency on CSPs than equivalent services deployed on-premises. On-premises deployments of hardware, software and communications capabilities are largely under the control of the PSB. In the cloud environment, some or all of these capabilities are under the control of the CSP. The extent of this control depends on whether the services provided are IaaS, PaaS or SaaS, with the level of CSP dependency generally increasing as the services move from IaaS to PaaS and on to SaaS.

It is important to fully consider how the transition from a cloud service provided by an incumbent CSP to another CSP, or back on-premises, is managed on expiry or termination of the cloud services contract. This is addressed through the exit management provisions and associated processes specified in the contract. An exit management plan should be agreed and reviewed regularly with the CSP to ensure that it remains relevant and up-to-date over the full term of the contract.

Security

Key elements of the security considerations for the provision of cloud services include:

– data encryption: this must cover, at a minimum, data at rest and data in transit, and the required standard must be set out by the PSB;
– data location: in general, personal data must not be transferred outside the EEA or, if it is to be transferred outside the EEA, the transfer must be in compliance with the provisions of Chapter V of the GDPR;
– under the terms of many standard CSP Agreements the responsibility for data protection and security remains with the PSB, particularly for IaaS agreements. PaaS and SaaS contracts will likely provide security, backup and recovery as part of the CSP services, but some service elements may incur an additional charge;
– private versus public access (VPN versu
